CVE-2025-11537— Keycloak-server: sensitive headers shown in the http access logs
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-11537
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak-server: sensitive headers shown in the http access logs
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract these credentials (e.g., bearer tokens, session cookies) and use them to impersonate users, leading to a full account compromise.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
日志输出的转义处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于当日志格式配置为详细用户提供模式时,敏感标头会以明文形式泄露到日志中,可能导致具有日志文件读取权限的攻击者提取凭据并冒充用户,造成账户完全接管。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2025-11537
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-11537
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-7500
Org.keycloak.keycloak-services: improper access control on k - CVE-2026-37980
Org.keycloak.forms.login: keycloak: keycloak: arbitrary code - CVE-2026-37977
Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: - CVE-2026-4874
Org.keycloak.protocol.oidc.grants: org.keycloak.services.man - CVE-2026-4633
Keycloak: keycloak: user enumeration via differential error
Same vendor: Red Hat
- CVE-2026-42011
Gnutls: gnutls: security bypass due to incorrect name constr - CVE-2026-42010
Gnutls: gnutls: authentication bypass via nul character in u - CVE-2026-6420
Keylime: keylime: security bypass due to hardcoded tpm quote - CVE-2026-34956
Openvswitch: open vswitch: denial of service via malformed f - CVE-2026-34002
Xorg: xwayland: x.org x server: information disclosure or de
Same weakness: CWE-117
- CVE-2026-6494
Aap-mcp-server: aap mcp server: log injection allows social - CVE-2025-14684
IBM Maximo Application Suite - Monitor Component uses Log Fo - CVE-2025-59784
Log Pollution - Control Characters Not Escaped - CVE-2025-12755
Multiple vulnerabilities in IBM MQ Operator and Queue manage - CVE-2026-1337
Insufficient escaping of unicode characters in query log
V. Comments for CVE-2025-11537
No comments yet